google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0

Add timesketch analyze results to the CLI client #2846

Closed jaegeral closed 1 year ago

jaegeral commented 1 year ago

This pull request adds a new subcommand to `timesketch analyze`: `timesketch analyze results`.

It also updates the corresponding documentation.

Some examples:

timesketch --sketch 2 --output-format text analyze results --analyzer account_finder --timeline 3
Results for analyzer [account_finder] on [sigma_events]:
SUCCESS - NOTE - Account finder was unable to extract any accounts.
timesketch --sketch 2 --output-format csv analyze results --analyzer account_finder --timeline 3
Unsupported output format: [csv] use [json / text]
timesketch --sketch 2 --output-format text analyze results --analyzer account_finder --timeline 3 --show-dependant
Results for analyzer [account_finder] on [sigma_events]:
Dependant: DONE - None - Feature extraction [gmail_accounts] extracted 0 features.
Dependant: DONE - None - Feature extraction [github_accounts] extracted 0 features.
Dependant: DONE - None - Feature extraction [linkedin_accounts] extracted 0 features.
Dependant: DONE - None - Feature extraction [rdp_ts_ipv4_addresses] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_client_ipv4_addresses] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_client_ipv4_addresses_2] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_host_ipv4_addresses] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_client_password_ipv4_addresses] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_disconnected_username] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_disconnected_ip_address] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_disconnected_port] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_failed_ip_address] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_failed_port] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_failed_method] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_subject_username] extracted 0 features.
Dependant: DONE - None - Feature extraction [email_addresses] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_domain] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_logon_id] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_logon_type] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_logon_process_name] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_workstation_name] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_process_id] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_process_name] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_ip_address] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_port] extracted 0 features.
SUCCESS - NOTE - Account finder was unable to extract any accounts.
Dependant: DONE - None - Feature extraction [rdp_rds_ipv4_addresses] extracted 0 features.
Dependant: DONE - None - Feature extraction [ssh_failed_username] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_subject_domain] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_subject_logon_id] extracted 0 features.
Dependant: DONE - None - Feature extraction [win_login_username] extracted 0 features.

(The JSON output is shortened)

[
    {
        "analyzer": "feature_extraction",
        "index": "<timesketch_api_client.index.SearchIndex object at 0x7ff9079a7a60>",
        "results": "Feature extraction [gmail_accounts] extracted 0 features.",
        "session_id": 1,
        "status": "DONE",
        "timeline_id": 3
    },
    {
        "analyzer": "feature_extraction",
        "index": "<timesketch_api_client.index.SearchIndex object at 0x7ff9079a7910>",
        "results": "Feature extraction [github_accounts] extracted 0 features.",
        "session_id": 1,
        "status": "DONE",
        "timeline_id": 3
    }
]
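A small consumer for the JSON form of `timesketch analyze results`, added here as an example; it is not part of the Timesketch CLI or of this PR. It assumes only the record keys visible in the shortened JSON above (`analyzer`, `status`, `results`, `timeline_id`), constructs its own sample input (the third record, with status `ERROR`, is invented to show a run that did not finish cleanly; the clean states `DONE` and `SUCCESS` are the ones the output above shows), and reuses the CLI's wording for an unsupported output format. The point for a responder is the check that follows scheduling analyzers over many timelines: did every run finish, and did any of them raise?

```python
import json
from collections import Counter

# Constructed sample input, modelled on the (shortened) JSON in the PR
# description. The "index" strings are the object repr the CLI printed at
# the time; the third record is invented to show a run that did not finish.
SAMPLE_JSON = json.dumps([
    {"analyzer": "feature_extraction",
     "index": "<timesketch_api_client.index.SearchIndex object at 0x7ff9079a7a60>",
     "results": "Feature extraction [gmail_accounts] extracted 0 features.",
     "session_id": 1, "status": "DONE", "timeline_id": 3},
    {"analyzer": "feature_extraction",
     "index": "<timesketch_api_client.index.SearchIndex object at 0x7ff9079a7910>",
     "results": "Feature extraction [github_accounts] extracted 0 features.",
     "session_id": 1, "status": "DONE", "timeline_id": 3},
    {"analyzer": "account_finder",  # constructed record, not from the PR
     "index": "<timesketch_api_client.index.SearchIndex object at 0x7ff9079a7b20>",
     "results": "Traceback (most recent call last): ...",
     "session_id": 1, "status": "ERROR", "timeline_id": 3},
])

# Terminal states the PR output shows for a clean run; anything else is
# treated as needing a look. "ERROR" above is an assumed value.
OK_STATES = {"DONE", "SUCCESS"}
REQUIRED_KEYS = {"analyzer", "status", "results", "timeline_id"}


def parse_results(raw):
    """Parse the CLI's JSON output and check the minimal shape relied on here."""
    records = json.loads(raw)
    if not isinstance(records, list):
        raise ValueError("expected a JSON list of analyzer result objects")
    for rec in records:
        missing = REQUIRED_KEYS - set(rec)
        if missing:
            raise ValueError(f"result record is missing keys: {sorted(missing)}")
    return records


def summarize(records):
    """Reduce the records to status counts plus the runs worth reviewing:
    not in a clean terminal state, or whose result text looks like a stack trace."""
    problems = [
        {"analyzer": r["analyzer"], "timeline_id": r["timeline_id"],
         "status": r["status"], "results": r["results"]}
        for r in records
        if r["status"] not in OK_STATES or "Traceback" in r["results"]
    ]
    return {
        "total": len(records),
        "by_status": dict(Counter(r["status"] for r in records)),
        "problems": problems,
    }


def render(summary, output_format):
    """Emit the summary as text or JSON; refuse other formats with the
    same wording the CLI uses for an unsupported --output-format."""
    if output_format == "json":
        return json.dumps(summary, indent=4, sort_keys=True)
    if output_format == "text":
        lines = [f"{summary['total']} analyzer result(s)"]
        for status, n in sorted(summary["by_status"].items()):
            lines.append(f"  {status}: {n}")
        for p in summary["problems"]:
            lines.append(f"REVIEW - {p['analyzer']} on timeline {p['timeline_id']}: "
                         f"{p['status']} - {p['results']}")
        return "\n".join(lines)
    raise ValueError(f"Unsupported output format: [{output_format}] use [json / text]")


if __name__ == "__main__":
    # Feed the real CLI output from a file instead of the sample, e.g.:
    #   timesketch --sketch 2 --output-format json analyze results \
    #       --analyzer account_finder --timeline 3 > results.json
    #   python summarize_results.py results.json
    import sys
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    print(render(summarize(parse_results(raw)), "text"))
```

The shape check in `parse_results` is deliberate: the CLI's JSON schema is not documented on this page, so failing loudly on a missing key is safer than silently reporting zero problems when the field names change.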